CVE-2017-5960

Name of the Vulnerable Software and Affected Versions Phalcon Eye versions through 0.4.1

Description The issue exists due to insufficient filtration of user-supplied data in multiple HTTP GET parameters passed to the "phalconeye-master/public/external/pydio/plugins/editor.webodf/frame.php" URL. This allows an attacker to execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

Recommendations For Phalcon Eye versions through 0.4.1, as a temporary workaround, consider restricting access to the "phalconeye-master/public/external/pydio/plugins/editor.webodf/frame.php" URL until a patch is available. Avoid using user-supplied data in HTTP GET parameters for this URL to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.